The difficulty in securing computer systems stems in large part from the increasing complexity of modern information services and the advancing sophistication, pace, and variety of attack techniques. The problem is further exacerbated by the continued discovery of software bugs and vulnerabilities and by the collective development of, and experimentation with, new attacks over the Internet. These trends warrant new thinking in computer security: there will always be attacks sophisticated and stealthy enough to penetrate even the best security measures and evade the most advanced intrusion detection systems. It follows that a critical information system should support intrusion tolerance, so as to fend off or limit the damage caused by unknown and/or undetected attacks.
While intrusion detection and prevention have been the subject of extensive research and commercialization, intrusion tolerance has received less attention. In previous research, a novel approach to the intrusion tolerance problem called Self-Cleansing Intrusion Tolerance (SCIT) was developed. The underlying assumption of SCIT is that a server that has been providing services online, and has consequently been exposed to attacks, may be assumed compromised. An online server is therefore periodically taken offline and cleansed to restore it to a known clean state, regardless of whether an intrusion has been detected. While this paranoid attitude may be overkill for an average information service, it is entirely appropriate for critical infrastructure services, or for services whose breach would compromise national security or result in large pecuniary losses.
This technique was investigated by applying server rotation and cleansing to firewalls, web servers, and DNS servers. Additionally, hardware solutions were devised to guarantee the incorruptibility of SCIT operations, and a SCIT control algorithm was developed for use in SCIT server clusters. An important strength of SCIT is that it minimizes the window of exposure, i.e., the period during which a server stays online and remains vulnerable to attack. The previous work shows that SCIT typically limits the exposure window to less than 10 minutes. What is needed is an enhanced SCIT system that decreases the exposure window further without relying on customized, dedicated hardware.
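The rotation-and-cleansing cycle described above can be made concrete with a small simulation. The following is an added illustrative model, not the SCIT control algorithm or any code from the prior work it references. It assumes a hypothetical pool of identical servers, one online slot, discrete time ticks, and fixed `window` (online period) and `cleanse` (cleansing duration) parameters; the state names and function names are this example's own. It shows two things the prose states but does not quantify: how many servers a pool needs so that a clean standby is always available, and that a silently compromised server is retired within `window` ticks whether or not anything detects the compromise.

```python
"""Illustrative SCIT-style rotation scheduler (added example; hypothetical model).

One server is online at a time. After `window` ticks it is retired unconditionally,
cleansed for `cleanse` ticks (restoring a known-good state), and then returned to a
standby queue. No intrusion detection is involved anywhere in the loop.
"""
import math
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ONLINE, CLEANSING, STANDBY = "online", "cleansing", "standby"   # hypothetical state names


@dataclass
class Server:
    name: str
    state: str = STANDBY
    timer: int = 0                           # ticks remaining in the current state
    compromised_since: Optional[int] = None  # simulated, *undetected* compromise time


def min_servers(window: int, cleanse: int) -> int:
    """Smallest pool size that keeps a clean standby available at every rotation.

    Each server's cycle is window + cleanse ticks; a new server is needed every
    `window` ticks, so ceil((window + cleanse) / window) servers suffice.
    """
    return math.ceil((window + cleanse) / window)


def simulate(n_servers: int, window: int, cleanse: int, ticks: int,
             compromise_at: Iterable[int] = ()) -> Tuple[int, int, int]:
    """Run the rotation for `ticks` ticks.

    compromise_at: ticks at which the currently online server is silently compromised
    (constructed test input; the scheduler never looks at it).
    Returns (max_exposure, max_compromise_dwell, uncovered_ticks): the longest any
    server stayed online, the longest an undetected compromise survived before
    cleansing, and the number of ticks with no clean server available to serve.
    """
    compromise_at = set(compromise_at)
    standby = deque(Server(f"srv{i}") for i in range(n_servers))
    cleansing, online = [], None
    max_exposure = max_dwell = uncovered = 0

    for t in range(ticks):
        # 1. Servers whose cleansing finished return to standby in a known-clean state.
        still_cleansing = []
        for s in cleansing:
            s.timer -= 1
            if s.timer <= 0:
                s.state, s.compromised_since = STANDBY, None
                standby.append(s)
            else:
                still_cleansing.append(s)
        cleansing = still_cleansing

        # 2. Retire the online server when its window expires, detection or not.
        if online is not None and online.timer <= 0:
            if online.compromised_since is not None:
                max_dwell = max(max_dwell, t - online.compromised_since)
            online.state, online.timer = CLEANSING, cleanse
            cleansing.append(online)
            online = None

        # 3. Promote a clean standby server; if none exists, service is uncovered.
        if online is None:
            if not standby:
                uncovered += 1
                continue
            online = standby.popleft()
            online.state, online.timer = ONLINE, window

        # 4. Serve one tick (and record a simulated undetected compromise, if any).
        if t in compromise_at and online.compromised_since is None:
            online.compromised_since = t
        online.timer -= 1
        max_exposure = max(max_exposure, window - online.timer)

    return max_exposure, max_dwell, uncovered


if __name__ == "__main__":
    print("min servers for window=10, cleanse=5:", min_servers(10, 5))
    print("2 servers, compromise at t=3:", simulate(2, 10, 5, 60, compromise_at={3}))
    print("1 server (no standby):", simulate(1, 10, 5, 60))
```

The compromise injected at tick 3 is never detected, yet it is removed at tick 10 when the server's window expires, so its dwell time (7 ticks) is bounded by `window` rather than by detection latency; with a single server the same loop leaves service uncovered during every cleansing period, which is why the pool size from `min_servers` matters.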